30 matches found
EUVD-2026-33357
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation...
Dokploy operating system command injection vulnerability
Dokploy is open-source software developed by Dokploy. Dokploy 0.28.8 and earlier contain an operating system command injection vulnerability. It stems from the application.updateTraefikConfig tRPC endpoint, where authenticated OS commands cou...
CVE-2026-25123
Homarr is an open-source dashboard. Prior to 1.52.0, a public unauthenticated tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF...
EUVD-2026-3318
Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion...
tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
Note that this vulnerability is only present when using experimental_caller / experimental_nextAppDirCaller. Summary: A prototype pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router adapter. An attacker can pollute Object.prototype by...
GHSA-43P4-M455-4F4J tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
Note that this vulnerability is only present when using experimental_caller / experimental_nextAppDirCaller. Summary: A prototype pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router adapter. An attacker can pollute Object.prototype by...
Prototype Pollution
Overview: @trpc/server is the tRPC server library. Affected versions of this package are vulnerable to Prototype Pollution via the formDataToObject function. An attacker can modify Object.prototype by submitting specially crafted FormData field names, which may result in authorization bypass,...
CVE-2025-68130
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router...
EUVD-2025-203822
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router...
PT-2025-51757
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router...
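The six entries above (GHSA-43P4-M455-4F4J, CVE-2025-68130 and their mirrors) all describe the same mechanism: a FormData-to-object conversion that turns bracketed field names into nested keys, so a field named `__proto__[isAdmin]` walks into `Object.prototype`. The example below is added for this page and is not @trpc/server's formDataToObject; it is a generic bracket-notation parser of that shape, shown naive and then hardened. The hardening (null-prototype containers plus a deny-list for `__proto__`, `constructor` and `prototype`) is the example's own and is not a claim about the upstream patch. The field list is a constructed payload; the input shape is what `FormData.prototype.entries()` yields.

```javascript
// "user[address][city]" -> ["user", "address", "city"]; names without brackets are one segment.
function parseFieldName(name) {
  const m = /^([^\[\]]+)((?:\[[^\[\]]*\])*)$/.exec(name);
  if (!m) return [name];
  const parts = [m[1]];
  for (const seg of m[2].matchAll(/\[([^\[\]]*)\]/g)) parts.push(seg[1]);
  return parts;
}

// Naive: walks/creates nested objects by key. Reading target["__proto__"] on a plain
// object returns Object.prototype, so "__proto__[isAdmin]" writes to the global prototype.
function formDataToObjectNaive(entries) {
  const out = {};
  for (const [name, value] of entries) {
    const parts = parseFieldName(name);
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) cur[parts[i]] = {};
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened (this example's own mitigation): null-prototype containers so there is no
// inherited __proto__ accessor to walk, a deny-list for the segments that reach the
// prototype chain, and own-property checks before descending.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function formDataToObjectSafe(entries) {
  const out = Object.create(null);
  for (const [name, value] of entries) {
    const parts = parseFieldName(name);
    for (const p of parts) {
      if (FORBIDDEN_SEGMENTS.has(p)) throw new Error(`forbidden field segment: ${p}`);
    }
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      const key = parts[i];
      const own = Object.prototype.hasOwnProperty.call(cur, key);
      if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = Object.create(null);
      cur = cur[key];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Constructed attacker payload: one harmless field plus a prototype-reaching one.
const MALICIOUS_ENTRIES = [
  ['title', 'hello'],
  ['__proto__[isAdmin]', 'true'],
];

// Runs the naive parser, records whether an unrelated object gained isAdmin, then
// removes the polluted property so the process is left clean.
function demonstratePollution() {
  formDataToObjectNaive(MALICIOUS_ENTRIES);
  const leaked = ({}).isAdmin;          // 'true' once Object.prototype is polluted
  delete Object.prototype.isAdmin;
  return leaked;
}

// The hardened parser refuses the payload and leaves Object.prototype untouched.
function demonstrateHardened() {
  try {
    formDataToObjectSafe(MALICIOUS_ENTRIES);
    return 'accepted';
  } catch (e) {
    return ({}).isAdmin === undefined ? 'rejected' : 'polluted';
  }
}

console.log(demonstratePollution(), demonstrateHardened());
```

The deny-list alone is not enough in general (an `isAdmin` landing on some other shared object is still a logic bug), which is why the safe version also never lets the walk leave the freshly created tree.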
Malicious code in @trpc-rate-limiter/hono (npm)
Per-source details. Source: amazon-inspector (e86780189d32c5c6215833b83e8ff4274af92653c41f51d8cb8f9c1e5262bccf): The package @trpc-rate-limiter/hono was found to contain malicious code. Source: ghsa-malware...
MAL-2025-191328 Malicious code in @trpc-rate-limiter/hono (npm)
Per-source details. Source: amazon-inspector (e86780189d32c5c6215833b83e8ff4274af92653c41f51d8cb8f9c1e5262bccf): The package @trpc-rate-limiter/hono was found to contain malicious code. Source: ghsa-malware...
Malicious code in @trpc-rate-limiter/cloudflare (npm)
Per-source details. Source: amazon-inspector (1f7b0945d5b218d0b4e212ee38448f7de192939870c55e4ef4edb17bfc318d01): The package @trpc-rate-limiter/cloudflare was found to contain malicious code. Source: ghsa-malware...
EUVD-2025-199280
Malicious code in @trpc-rate-limiter/cloudflare npm...
CVE-2025-63783
A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for...
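The Onlook entry above and the Lobe Chat IDOR entry earlier on this page (EUVD-2026-3318, cross-user file deletion) share one root cause: a mutation checks that the caller is logged in but not that the caller may touch the object named by the supplied id. The example below is added for this page and is not the code of Onlook, Lobe Chat or tRPC. It uses a hypothetical in-memory project store and handlers in the tRPC `({ ctx, input })` shape, with `ctx.userId` assumed to be set by an upstream auth middleware and `input` assumed already schema-validated.

```javascript
// Hypothetical store: two projects, each with exactly one member (u1 owns 1, u2 owns 2).
function makeStore() {
  return {
    projects: new Map([
      [1, { id: 1, name: 'alpha', tags: ['ui'] }],
      [2, { id: 2, name: 'beta', tags: [] }],
    ]),
    // one row per (userId, projectId)
    members: new Set(['u1:1', 'u2:2']),
  };
}

// Minimal stand-in for tRPC's error type, carrying only the code.
class TRPCError extends Error {
  constructor(code) { super(code); this.code = code; }
}

// BOLA: authenticated, but any user can delete any project id they can guess.
function deleteProjectVulnerable(store, { ctx, input }) {
  if (!ctx.userId) throw new TRPCError('UNAUTHORIZED');
  if (!store.projects.has(input.id)) throw new TRPCError('NOT_FOUND');
  store.projects.delete(input.id);
  return { id: input.id };
}

// Membership guard, the shape you would put in a tRPC middleware or in the query's
// where-clause. An id the caller is not a member of is reported exactly like a
// non-existent id, so the endpoint cannot be used to enumerate other users' objects.
function requireMember(store, userId, projectId) {
  if (!userId) throw new TRPCError('UNAUTHORIZED');
  if (!store.members.has(`${userId}:${projectId}`) || !store.projects.has(projectId)) {
    throw new TRPCError('NOT_FOUND');
  }
  return store.projects.get(projectId);
}

function deleteProjectSafe(store, { ctx, input }) {
  requireMember(store, ctx.userId, input.id);
  store.projects.delete(input.id);
  return { id: input.id };
}

function addTagSafe(store, { ctx, input }) {
  const project = requireMember(store, ctx.userId, input.id);
  if (!project.tags.includes(input.tag)) project.tags.push(input.tag);
  return { id: project.id, tags: [...project.tags] };
}

// What a caller authenticated as u2 achieves against u1's project under each handler:
// the error code if the handler throws, otherwise whether the project survived.
function crossUserDeleteOutcome(handler) {
  const store = makeStore();
  try {
    handler(store, { ctx: { userId: 'u2' }, input: { id: 1 } });
  } catch (e) {
    return e.code;
  }
  return store.projects.has(1) ? 'kept' : 'deleted';
}

console.log(crossUserDeleteOutcome(deleteProjectVulnerable)); // deleted
console.log(crossUserDeleteOutcome(deleteProjectSafe));       // NOT_FOUND
```

With a real database the same guard is one `WHERE project_id = ? AND user_id = ?` join in the mutation's query rather than a separate lookup, which also avoids the check-then-act race between the membership read and the write.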
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
When the client sends an arbitrary URL array and impl: "naive" to the tRPC endpoint tools.search.crawlPages, the server issues outbound HTTP requests directly to those URLs. There is no defensive logic that restricts or validates requests to...
EUVD-2025-12106
Malicious code in bioql PyPI...
CVE-2025-59305
Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated user to invoke migration control functions. This can lead to data corruption or denial of service through unauthorized access to TRPC endpoints such as backgroundMigrations.all,...
Denial Of Service (DoS)
@trpc/server is vulnerable to Denial of Service (DoS). The vulnerability is due to improper input validation: an unhandled error while validating malformed connectionParams on WebSocket connections allows unauthenticated users to crash the server...